IAEA-TECDOC-611
Use of plant specific PSA to evaluate incidents at nuclear power plants
INTERNATIONAL ATOMIC ENERGY AGENCY
IAEA, VIENNA, 1991
ISSN 1011-4289
Printed by the IAEA in Austria, June 1991
FOREWORD
One of the possible applications of the plant specific probabilistic safety assessment (PSA) is its use in the analysis of operational events at the plant. The methodological development in that area was initiated recently in the framework of the IAEA's Incident Reporting System where determination of the safety significance of the event is essential for optimizing feedback of operating experience.
This report provides details of the methodology and procedures to be used in event analysis. The report also contains three case studies which have been performed and summarizes lessons learned from those case studies. The results (event probabilities) obtained using plant specific PSA and the results of the analysis of the same events in the framework of the Accident Sequence Precursor (ASP) programmes (generic models) were compared and commented on.
This document is intended to be used by experts involved in both event analysis and PSA. Its general purpose is to summarize current methodological development and to encourage and promote the use of plant specific PSA in event analysis internationally. Use of plant specific PSA for event analysis would both allow better understanding of the vulnerabilities of the plant given the event occurrence and check the PSA model for appropriateness and completeness. In that respect, the methodology described in this report would benefit both operational experience analysts and PSA specialists.
This report was prepared during a consultants meeting held in Vienna (24-28 September 1990) by Mr. Patrick W. Baranowsky, United States Nuclear Regulatory Commission (NRC), Washington, D.C., and Mr. Martin B. Sattison, Idaho National Engineering Laboratory, Idaho Falls, Idaho, USA. The IAEA technical officers responsible for this project were Mr. Bojan Tomic and Mr. Valeri Tolstykh from the Safety Assessment Section of the IAEA's Division of Nuclear Safety.
EDITORIAL NOTE
In preparing this material for the press, staff of the International Atomic Energy Agency have mounted and paginated the original manuscripts and given some attention to presentation.
The views expressed do not necessarily reflect those of the governments of the Member States or organizations under whose auspices the manuscripts were produced.
The use in this book of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.
The mention of specific companies or of their products or brand names does not imply any endorsement or recommendation on the part of the IAEA.
CONTENTS
1. INTRODUCTION
1.1. Background
1.2. Purpose
1.3. Scope and limitations
2. INCIDENT ANALYSIS METHODOLOGY AND PROCEDURES
2.1. Selection of incidents for analysis
2.2. Methodology and procedures
3. CASE STUDIES
3.1. Incidents selected for case studies
3.2. Summary of results
4. LESSONS LEARNED FROM THE CASE STUDIES
APPENDIX: DETAILS OF CASE STUDIES
Case study 1: Potential inoperability of both charging pumps
Case study 2: Reactor trip with one high pressure injection train and one auxiliary feedwater train unavailable
Case study 3: Inoperable power operated relief valves
REFERENCES
CONTRIBUTORS TO DRAFTING AND REVIEW
1. INTRODUCTION
1.1. BACKGROUND
A high number of plant specific probabilistic safety assessments (PSAs) which have been completed in the last few years make it appealing to utilize them for other purposes. One of the possible purposes would be the analysis of the operational events occurring at the plant for which the plant specific PSA study exists.
Activities in this area have been initiated by the IAEA in the framework of the Incident Reporting System (IRS). The IRS has grown considerably in recent years in terms of the quality of the reports and their quantity (number of reports shared). Since the events reported to the IRS can differ substantially, optimizing the experience feedback requires selection of those having higher safety significance. In that respect, a tool which would be more precise, such as the recently developed International Nuclear Event Scale, may be needed.
In order to explore the possible application of PSA studies for event analysis, the IAEA organized a consultants meeting in May 1989, which discussed possible approaches and provided a general framework for methodological development. The meeting also proposed that several case studies be performed, including calculation of event probabilities. The report of the meeting was presented to the Technical Committee Meeting (TCM) of IRS national co-ordinators in October 1989, who supported it and recommended further activities.
The first case study was performed in December 1989. This involved calculation of event probabilities from the PSA report itself, i.e. without the use of computerized cut set manipulation tools, which resulted in somewhat imprecise results. In order to explore the potential of PSA-based event analysis when advanced computerized support is used, the second case study was undertaken; its results are described in this report.
1.2. PURPOSE
The purpose of this work is to develop and document a procedure for the analysis of incidents at nuclear power plants using a plant specific PSA. The intent is to be able to characterize the relative importance of incidents in the light of the risks perceived from the original PSA and to derive insights to help evaluate plant specific design and operational problems as incidents occur. This work is not intended to replace the traditional PSA profile of plant core damage likelihood or to provide a revised plant "risk" estimate for comparison of conformance to plant safety objectives. It is intended to provide a method and demonstration of a procedure which can be used to determine the safety significance and insights of operating reactor incidents.
1.3. SCOPE AND LIMITATIONS
The selection of reactor incidents and analyses was limited to events which have been found to be risk significant by others and which have occurred at plants for which NRC-sponsored risk assessments [1] have been performed.
In addition, it was decided to select events of fairly recent vintage (1988 and 1989) to give more relevance to the results. The existing PSAs were used and were assumed to be up-to-date and accurate. Thus, only PSA model or data changes indicated by the incident were made.
Where potentially extensive modeling or data analyses would normally be required to accurately estimate accident likelihood, a simplified approach was used which allowed timely execution of the event analysis procedure and was also in keeping with the objective of identifying potentially safety significant incidents and associated insights. The methodology employed in the development of the original PSA should be adequate and compatible with the procedures identified herein, if greater precision on certain aspects of the analysis is desired. This is especially true for recovery assessments.
Additionally, only a modest effort was made to obtain specific details of plant design and operation brought into question by the incident under review. This aspect could be expanded to satisfy the specific objectives and level of precision of future analyses, but for this exercise, approximations and sensitivity analyses were sufficient to demonstrate the procedure and still properly characterize event significance and insights.
2. INCIDENT ANALYSIS METHODOLOGY AND PROCEDURES
2.1. SELECTION OF INCIDENTS FOR ANALYSIS
The identification of incidents which are potentially significant requires some qualitative screening of incidents to select those of most value for analysis. The methodology and procedures covered in this report are of most value in the analysis of accident sequence precursors, that is, those incidents which involve portions of core damage sequences which are part of a PSA. Generally, any incident which degrades plant functions that provide protection against core damage, or results in unexpected or significant challenges to those functions, is a candidate for analysis. The methodology, the efficiency and speed of the tools executing the methodology, and the resources available set the limits on what can be analysed and how many incidents can be analysed. Past experience with the Accident Sequence Precursor (ASP) [2] programme in the United States has suggested that incident screening criteria based on PSA insights can be of value in limiting the number of plant anomalies and malfunctions for which incident risk analyses would be of value. This would not and should not preclude considering the more complete set of equipment and operations-related problems in trends and patterns analyses or other reliability assessments.
It is suggested that the methodology and procedures used in the case studies in this report are most useful when PSA results and insights tend to raise questions about the incident. These incidents will normally involve safety function failure or degradation, events occurring at a frequency greater than anticipated based on the PSA, multiple failures or degradations in several systems simultaneously, or events that were not well modeled in the PSA.
There are also events which are not amenable to analysis by the methodology and procedures used in this report. These involve incidents outside the scope of the PSA which by their nature are very difficult, if not impossible, to represent within the available PSA framework, model, or methodology. They include such things as quality assurance programme deficiencies or other programmatic breakdowns, loss of design margin, and phenomenological incidents which may raise questions about the functional capability of systems and structures.
2.2. METHODOLOGY AND PROCEDURES
This section documents a methodology for evaluating plant incidents that have a safety significance potential using an existing plant specific PSA.
For the three example evaluations in the appendix, the NUREG 1150 PSA models for Sequoyah Unit 1 [3] and Surry Unit 1 [4] were used.
This methodology was demonstrated on the typical large fault tree/small event tree PSA models of NUREG-1150 [1]. This type of PSA has the advantage of using sequence cut sets consisting of basic events that can be directly manipulated in the course of the evaluation. However, the approach using a large event tree/small fault tree PSA would be the same; only the specifics of the model manipulations would be different.
This methodology relies heavily on the recalculation of sequence frequencies, regeneration of system and sequence minimal cut sets when needed, and the calculation of several importance measures. These operations generally require the use of a computer. Thus, a computer-based PSA model is almost a must. Hand calculated approximations may be possible if only a copy of the PSA report is available.
The example evaluations presented in this report were performed using microcomputer versions of the NUREG-1150 PSAs. These computer-based models were developed by the US Nuclear Regulatory Commission for uses such as this.
The model manipulations and calculations were performed using IRRAS 2.5 [5].
Several other PSA codes exist that can perform similar tasks. Any code would do fine as long as it can regenerate system and sequence cut sets and recalculate sequence results using modified basic event failure data.
The overall approach to incident evaluation using plant specific PSA models involves the following:
- Understanding the incident and its safety implications
- Relating the incident to the PSA models
- Modifying the models to reflect the incident
- Calculating new PSA results and drawing insights from these results.
Understanding the incident and its safety implications requires a knowledge of plant operations and a knowledge about the contents of the specific PSA. Plant operations knowledge allows the analyst to determine if the incident impacted or had the potential to impact a safety function.
Knowledge of the specific PSA is required to determine if the potential impacts are within the scope or resolution of the PSA models.
To relate the incident to the PSA, the analyst must determine which accident sequences are involved or could be involved, what fault tree models and basic events model the components or operator actions of concern, and what recovery actions could be applied or are made impossible. Along with this is the need to make changes to the base PSA models to reflect the incident. This could involve restoring accident sequences that were originally truncated out of the final results, changing basic event probabilities, and evaluating new human error rates.
Once the model modifications are made, they can be processed to determine new results conditional on the existence of the incident.
Finally, analysis of the results must be performed to gain insights pertaining to the safety implications of the incident. These insights include a comparison of the conditional core damage probability to the overall core damage frequency, determination of the new dominant contributors to the core damage frequency, and the new importance of the remaining systems, components and operator actions to the prevention of core damage.
The actual analysis steps conducted by this methodology and employed in the three case studies documented in the appendix are:
1. Review the incident. Based on what actually happened during the incident, identify the chronology of events, identify all equipment failures (including those in place at the initiation of the incident), degradations and equipment unavailabilities. Also note all operator actions taken, especially those not covered by procedures and training.
It may also be worthwhile to review problems or related conditions which occurred or were identified for some time period (like 1-2 weeks) before and after the incident to be sure that hidden complications are not left unaccounted for in the analysis.
2. Using the event tree models in the PSA, identify all event tree sequences affected by the incident. Use the full event tree models and not just the subset of accident sequences retained by the original PSA. Many times the incident will impact normally very reliable systems that are called upon in very low frequency sequences. To properly identify the affected accident sequences, the analyst must know which event tree top events model the equipment and operator actions involved in the event being analysed. The sequences with a failure branch for at least one of these top events are the sequences of concern.
3. Review the identified PSA sequences and their cut sets to determine if the affected systems and basic events were retained in the original PSA results. Most PSA reports only retain the accident sequences and cut sets that contribute to at least some minimal degree to the core damage frequency. Thus, cut sets consisting of normally very reliable components may not be retained, causing a reduction in the detail of the PSA model in sequences and systems pertaining to the event being analyzed. If the necessary sequences or cut sets were not retained, then they may have to be recreated. This involves generating the cut sets for each system in the missing sequences (if not already in the original model database), being sure to set cut set cutoff criteria so that affected basic events and cut sets are retained. New sequence cut sets must be generated even though the sequence is in the database, if cut sets containing the basic events of concern have been truncated out of the list of dominant cut sets retained in the PSA.
4. With the proper basic events appearing in the cut sets for the appropriate sequences, the next step is to determine the best estimate failure probabilities for all basic events impacted by the incident. Basic events representing failed components should most likely be modeled as a failed house event as opposed to an event with a probability of 1.0. The failed house event will actually modify the Boolean logic of the system or sequence to correctly generate conditional cut sets. Using this approach, the failed component will not be present in the final cut set equation. By setting the probability to 1.0, one can introduce overlap between cut sets and double count some failure combinations.
For incidents involving component malfunctions or unavailability but no accident sequence initiating event, the actual or estimated duration of the component unavailability must be taken into consideration. This may be done by multiplying the accident sequence initiator frequency by the amount of time the component was determined to be unavailable. Alternatively, the actual or estimated component unavailability could be input to the appropriate cut set basic event. This would require retaining the "failed" component in the cut set equation, i.e. not using a failed house event to modify the Boolean logic.
For equipment or operator degradations, detailed systems analysis or human reliability analysis may be required to get an acceptable level of precision and rigor in the revised failure probability. However, conservative screening or bounding values may be used as a first approximation. Only if the results indicate that the screening values are important is more detailed analysis required. One pitfall to watch for is the creation of impossible failure combinations as a result of the incident. The removal of one train of a system from service may make testing and maintenance of the other train impossible or at least administratively restricted. Cut sets containing such test and maintenance actions should be removed from the cut set list, unless evidence associated with the incident or a review of plant operations indicates a reasonable potential for simultaneous outage of redundant trains or components whose outage is restricted by Technical Specifications or other administrative controls.
5. After assigning the proper failure data to the basic events and initiating events, the new accident sequence conditional probabilities can be calculated. This is done by quantifying the new cut set expressions with the new failure data. At this point potentially important sequences which may be affected by incident recovery actions should be identified.
6. Determine the appropriate recovery actions to be applied to the sequence cut sets (if any) based on the events of the incident, personnel available, and plant operating and emergency procedures.
The determination of the failure probabilities may require detailed analysis. Note that for component unavailability situations which have existed through several shifts, the recovery analysis should consider any significant variations in personnel and skills, or other factors which could impact recovery. The recovery actions credited in the original PSA should be reviewed to assure that the incident being evaluated does not impact the recovery action failure probabilities or render any recovery actions impossible.
7. Calculate new importance measures for the basic events in the new sequence cut set lists. The Fussell-Vesely, risk reduction, and risk increase importance measures can provide the desired insights. The Fussell-Vesely importance indicates the percentage of the conditional core damage probability involving the event for which it has been calculated. The risk reduction ratio indicates the amount of reduction in the conditional core damage probability to be gained if the event was made perfect (failure probability = 0.0). The risk increase ratio indicates the factor by which the conditional core damage probability would go up if the event was totally unreliable (failure probability = 1.0).
8. Document the analysis, review the results and conduct sensitivity analyses as necessary. The documentation should be clear, concise and traceable. Review the results to determine key contributors in terms of dominant accident scenarios and component/operator actions important to core damage. Use the importance measures to guide the review. Also identify the key features that prevented the incident from becoming more risk significant by using the risk increase importance measure.
For the key contributors that are subject to judgement or uncertainty, sensitivity analyses may be conducted to determine if the uncertainties could significantly influence the results and any conclusions regarding the incident.
The case studies documented in the appendix followed these steps and serve as examples for the types of analyses and documentation that can come out of this methodology.
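As an added illustration of steps 4 to 7 (this is not code from the report, from IRRAS, or from the NUREG-1150 models), the following Python carries a constructed small LOCA sequence through house-event conditioning, removal of administratively impossible maintenance combinations, duration scaling of the initiator, the comparison with the one-year PSA result described in section 3.2, and the three importance measures. All basic event names, cut sets and failure data are constructed assumptions.

```python
"""Added example, not the report's own code: steps 4 to 7 of the procedure applied
to a constructed sequence.  Every basic event, cut set and probability below is
made up for illustration; none is a NUREG-1150 or IRRAS value."""
from math import prod

HOURS_PER_YEAR = 8760.0

# Constructed sequence: small LOCA (SLOCA) with loss of high pressure injection.
# Charging pump A (CCP-A) is cooled by component cooling train A (CCW-A) and pump
# B by CCW-B; CCP-CCF is common cause failure of both pumps; TM-B is pump B out
# of service for test or maintenance.  The initiator is carried as a basic event.
BASE_DATA = {
    "SLOCA": 5.0e-3,  # initiating event frequency, per year
    "CCP-A": 1.0e-2, "CCP-B": 1.0e-2, "CCP-CCF": 5.0e-4,
    "CCW-A": 5.0e-3, "CCW-B": 5.0e-3, "TM-B": 5.0e-3,
}
SEQUENCE_CUT_SETS = [frozenset(cs) for cs in (
    ("SLOCA", "CCP-A", "CCP-B"), ("SLOCA", "CCP-A", "TM-B"),
    ("SLOCA", "CCW-A", "CCP-B"), ("SLOCA", "CCW-A", "TM-B"),
    ("SLOCA", "CCW-A", "CCW-B"), ("SLOCA", "CCP-A", "CCW-B"),
    ("SLOCA", "CCP-CCF"),
)]


def minimize(cut_sets):
    """Boolean absorption: drop any cut set that contains another cut set."""
    unique = set(cut_sets)
    return sorted((cs for cs in unique if not any(o < cs for o in unique)),
                  key=lambda cs: (len(cs), sorted(cs)))


def quantify(cut_sets, data):
    """Minimal cut set upper bound, 1 - prod(1 - P(cut set)), as PSA codes use."""
    return 1.0 - prod(1.0 - prod(data[e] for e in cs) for cs in cut_sets)


def failed_house_event(cut_sets, event):
    """Step 4: a known-failed component becomes a TRUE house event.  It drops out
    of every cut set and the list is re-minimized, so combinations the failure
    made redundant are absorbed instead of being counted twice."""
    return minimize(cs - {event} for cs in cut_sets)


def remove_restricted(cut_sets, restricted):
    """Step 4 pitfall: drop test/maintenance combinations that Technical
    Specifications would not permit once the other train is out of service."""
    return [cs for cs in cut_sets if not (cs & set(restricted))]


def condition_initiator(data, initiator, hours_unavailable):
    """Step 4: no initiating event occurred, so the initiator frequency (per
    year) is multiplied by the time the component was unavailable."""
    return {**data, initiator: data[initiator] * hours_unavailable / HOURS_PER_YEAR}


def importance(cut_sets, data, event):
    """Step 7: Fussell-Vesely, risk reduction ratio and risk increase ratio."""
    base = quantify(cut_sets, data)
    perfect = quantify(cut_sets, {**data, event: 0.0})
    failed = quantify(cut_sets, {**data, event: 1.0})
    return {"FV": (base - perfect) / base,
            "RRR": base / perfect if perfect > 0.0 else float("inf"),
            "RIR": failed / base}


def evaluate_incident(failed_component="CCW-A", hours_unavailable=72.0,
                      restricted_maintenance=("TM-B",)):
    """Constructed incident: CCW-A found failed for 72 h, no initiating event."""
    data = condition_initiator(BASE_DATA, "SLOCA", hours_unavailable)
    # Correct treatment: house event, then drop impossible T&M combinations.
    conditioned = remove_restricted(
        failed_house_event(SEQUENCE_CUT_SETS, failed_component), restricted_maintenance)
    # Treatment the text warns against: leave the failed event in the cut sets
    # with probability 1.0, so cut sets made redundant by the failure count twice.
    naive = quantify(remove_restricted(SEQUENCE_CUT_SETS, restricted_maintenance),
                     {**data, failed_component: 1.0})
    ccdp = quantify(conditioned, data)
    annual = quantify(SEQUENCE_CUT_SETS, BASE_DATA)  # original PSA result, per year
    return {
        "conditional_cut_sets": conditioned,
        "ccdp": ccdp,  # conditional core damage probability for the incident
        "ccdp_p_equals_1": naive,
        "psa_sequence_frequency": annual,
        "ratio_to_one_year_psa": ccdp / annual,  # the section 3.2 comparison
        "importance": {e: importance(conditioned, data, e)
                       for e in ("CCP-B", "CCW-B", "CCP-CCF")},
    }


if __name__ == "__main__":
    result = evaluate_incident()
    for cs in result["conditional_cut_sets"]:
        print("cut set:", sorted(cs))
    for key in ("ccdp", "ccdp_p_equals_1", "psa_sequence_frequency",
                "ratio_to_one_year_psa"):
        print(f"{key}: {result[key]:.3e}")
    for event, measures in result["importance"].items():
        print(event, {k: round(v, 3) for k, v in measures.items()})
```

With these constructed data the house-event result is about 1% below the p = 1.0 result, the difference being exactly the two cut sets that the CCW-A failure made redundant; the gap grows with the failure probabilities of the absorbed events.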
3. CASE STUDIES
3.1. INCIDENTS SELECTED FOR CASE STUDIES
Three incidents were selected for the case study applications of the methodology and procedures described in section 2.2. These are:
(1) Potential inoperability of both charging pumps at Sequoyah Unit 2 on February 12, 1988.
(2) Reactor trip with one charging system train and one auxiliary feedwater train unavailable at Sequoyah Unit 2 on May 19, 1988.
(3) Inoperable PORVs at Surry Unit 1 on April 15, 1988.
Incidents (1) and (3) involve system or component reliability and availability degradations which affect vital safety functions: high pressure injection (HPI) at Sequoyah and pressure relief/feed and bleed at Surry. Incident (2) involves a transient with equipment unavailable in two separate system trains which perform complementary safety functions.
The incidents which occurred at Sequoyah Unit 2 were analysed using the Sequoyah Unit 1 PSA. While it is preferred to use the specific PSA model for the plant which experienced the incident, it is believed that the dissimilarities between Units 1 and 2 are not significant for the incidents selected.
3.2. SUMMARY OF RESULTS
A summary of the core damage results for each of the case studies is provided in Table 3-1. This table also provides the original PSA results and the results obtained from the Accident Sequence Precursor (ASP) program analysis of the selected events for comparison. The comparison of the case study with the PSA and ASP results has a different implication and interpretation, which are discussed below.
TABLE 3-1
SUMMARY OF CONDITIONAL CORE DAMAGE PROBABILITIES AND COMPARISON WITH PSA AND ASP

                        Case Study Results    PSA Results           ASP Results
Case Study 1                                                        3.8 x 10^-4
  Transients            3.4 x 10^-9           (?) x 10^-8 **
  Small LOCAs*          1.4 x 10^-6           (?) x 10^-8 **
  ATWS                  8.2 x 10^-6           1.5 x 10^-6
Case Study 2
  Transients            1.8 x 10^-6           1.5 x 10^-6           1.3 x 10^-5
Case Study 3                                  1 x 10^-6             1.5 x 10^-5
  Transients            1.3 x 10^-5
  Small LOCAs           8.0 x 10^-7
  ATWS                  2.0 x 10^-7

* Includes steam generator tube rupture sequences
** Only the exponent of these two PSA values survived extraction; the mantissa is not legible in the source.
The case study and the ASP results can be compared directly since both are measures of conditional core damage probability given that the incident has occurred. However, the ASP results are in the form of an incremental change in the conditional core damage probability, whereas the case study presents the total sequence core damage probability. The incremental change can be obtained by subtracting the original sequence core damage probability from the new core damage probability. A comparison of the case study and original PSA results involves two somewhat dissimilar quantities. The case study results are in the form of probabilities, whereas the PSA results are in the form of frequencies, or probabilities per year. If the PSA results are integrated over time (e.g. one year), then they can be compared with the conditional core damage probabilities of the case studies. Using one year conveniently allows the core damage frequency to be numerically about the same as the core damage probability. The implications of this comparison are as follows. If the conditional core damage probability of the incident is larger, by about a factor of ten, than the frequency of core damage for the same sequence in the original PSA, there may be plant design and operational factors that are more risky than the original PSA model implies. If the sequence conditional core damage probability results are greater than the total core damage frequency of the PSA, then the perceived plant risk derived from the PSA may be underestimated. These two inferences can only be valid if the PSA and incident analysis are performed with a comparable methodology. The comparative considerations cited above are based on uncertainties associated with current vintage PSAs. A more rigorous statistical comparison may also be performed, if desired.
In case study 1 it was found that small LOCAs with failure of high pressure injection and ATWS sequences with failure to borate were potentially significant because of the common cause failure of both charging pumps. The PSA did not include a charging pump common cause failure (CCF) event (although other charging system CCF considerations were included). It may be concluded that the affected sequences and the importance of the charging pumps were potentially underestimated in the PSA. Corrective actions taken at the plant appear effective in reducing the future CCF of these pumps. The ASP results are much higher because of model differences. Specifically, in the ASP analyses the CCF of the charging pumps was treated as a loss of all high pressure injection, when in fact the safety injection system was fully operational. Also, ASP models do not include ATWS sequences, which were found to be the most affected in the case study.
In case study 2 the conditional core damage probability for the incident was only slightly higher than that derived in the PSA for the same sequences. However, it was observed that this relatively low conditional core damage probability was dependent on operators restoring inoperable systems. Over one order of magnitude of core damage probability reduction was accounted for by the recovery analysis. Because of the uncertainty in this area, inferences regarding the event significance prior to recovery may be of value. The ASP results are much higher because of differences in system models and event recovery. Very limited recovery credit was given in ASP. As part of the case study, information was obtained on the nature of the actions required to make either the charging system or the AFW train operable. This information was used to estimate a recovery likelihood based on data in Ref. [6].
The third case study involved a potential common cause failure of the PORVs which was included in the PSA. The conditional core damage probability is relatively high, especially for transients where feed and bleed may be required for core cooling. Since the condition of the PORVs would not normally be detected for an operating cycle, which is usually over one year, the risk exposure interval for this event is relatively large. There was very good agreement between the ASP results and the case study as to both conditional core damage probability and sequence characteristics.
4. LESSONS LEARNED FROM THE CASE STUDIES
The analyses performed and described in the previous sections resulted in the identification of several lessons which are as follows:
1. A reasonable and defensible evaluation of the safety significance of incidents using PSA is possible if the incident documentation is well prepared and if a well-documented PSA study exists.
2. In cases where the reports do not provide all the information to accurately structure the event (sequence timing, equipment identification, flowsheet diagrams, etc.), PSA experience can be used to develop bounding models that encompass the range of reasonable possibilities.
3. In some cases it was not possible to perform the evaluation using only the existing PSA model results because:
- the event reported was different from those considered in the PSA (new scenarios created by operator action, unexpected system interactions, different recovery actions);
- in some cases it was necessary to recreate previously insignificant accident sequences, which required additional evaluation and calculation.
In such cases experts were needed with both a PSA background, to do the necessary additional analysis, and a plant design and operations background, to provide additional information concerning the event (level of dependency, common mode, etc.).
4. When the event assessment is aimed at an analysis of the behaviour of the plant as a whole, the simultaneous occurrence of additional dependent or independent events has to be considered. The plant-specific PSA is the most appropriate tool for the selection of other credible occurrences since it models the plant design and operation in an integrated way.
5. If the analysis is to be done on a plant for which there is no PSA study available, a simplified model may be used. An example of this approach is the US ASP program. However, the lack of plant-specific details in the models precludes drawing many of the insights associated with risk reduction and component level contributors to risk. Accurate modeling of a specific incident at a specific plant is hindered by the inability to properly apply revised failure probabilities and recovery actions.
6. Several lessons were related specifically to PSA studies:
- It was generally concluded that PSA studies vary in the handling of system dependencies (which were not considered in the design phase) and common mode failures. The process of conducting incident evaluations will highlight common mode failures that have occurred but were not properly modeled in the PSA.
- Event reporting systems such as the IRS and the LER system in the US could be beneficial for PSA practitioners to identify new sequences, new failure modes of components and new recovery actions.
- Incident evaluations using plant-specific PSAs could be more easily accomplished if the PSA:
(1) Retained more details of the plant systems and components in the cut sets.
(2) Retained the logic of the sequences in the event trees, even for sequences truncated out of the PSA.
(3) Retained the failure data for all basic events in the fault trees, even if they do not show up in any of the sequence cut sets retained after truncation.
Appendix
DETAILS OF CASE STUDIES
CASE STUDY 1
POTENTIAL INOPERABILITY OF BOTH CHARGING PUMPS
Sequoyah Unit 2 (12 February 1988) LER 328/88-005 R1
Description
While shut down, smoke was discovered coming from the speed increaser unit of centrifugal charging pump (CCP) 2A-A of the charging system. The pump was shut down and pump 2B-B was started.
Upon disassembly of the speed increaser, internal component damage was discovered. Two gland seal retaining bolts inside the lube oil pump had backed out, one bolt coming disengaged and falling to the bottom of the pump casing. The seal allowed air in-leakage and oil outflow, resulting in insufficient flow to the speed increaser unit. After pump 2A-A was repaired and returned to service, pump 2B-B was also found to have the same problem.
The two trains of the lower head SI system were available.
Additionally, it was discovered that the speed increaser lube oil pumps (1800 rpm) had been mistakenly replaced with lower rated (900 rpm) pumps.
These lower rpm pumps had two problems: 1) the type of gears used in the 900 rpm pumps might not be able to adequately pump the oil when being driven at 1800 rpm, causing potential cavitation, and 2) the compression packing seal used in these pumps requires occasional adjustment as the packing wears. If these adjustments are not made, the gland seal bolts will become loose, allowing air in-leakage and resulting in insufficient oilflow to the speed increaser unit.
Corrective action was taken to replace the 900 rpm pumps with the proper 1800 rpm pumps, and the speed increaser internals were inspected and replaced as necessary.
NOTE: In this document the units used are: psi [6.895 x 10^3 Pa], °F [°C = (°F - 32) x 5/9] and rpm [1 rev./min].
A summary of initial conditions and equipment failures is provided in Table A1-1. The full incident description (LER 328/88-005 R1) is attached to this case study.
TABLE A1-1. INCIDENT CHRONOLOGY, EQUIPMENT FAILURES, AND OPERATOR ACTIONS

Initial Conditions
  Mode 4, 0% power
  Reactor Coolant Pressure: 350 psi
  Reactor Coolant Temperature: 247 °F

Equipment Failures
  2A-A CCP: failed on February 12 at 11:33; repaired/operable on February 15 at 18:57
  2B-B CCP: started on February 12 at about 11:33; tagged out of service on February 17, incipient failure condition noted
Plant Design and Operational Considerations
The charging system consists of two independent trains with high head centrifugal charging pumps. A simplified schematic of the system is shown in Figure A1-1. The charging system, in conjunction with the safety injection system, is used to maintain adequate reactor coolant system inventory for a spectrum of small break loss-of-coolant accidents. If a small break LOCA occurred at full operating pressure and the CCPs were not available, then the operator could depressurize the RCS if necessary, via the pressurizer spray system or by opening the power-operated relief valves, to achieve 1,400 psi RCS pressure where the safety injection (SI) pumps could be utilized for emergency core cooling. The charging system also serves to provide emergency boration for a number of transients including anticipated transients without scram (ATWS) and main steam line break (MSLB).
[Figure A1-1 is a schematic drawing not reproduced in text. Notes on the figure: (1) NORMALLY OPEN, POWER REMOVED; (2) WILL NOT OPEN UNLESS TRAINED SUMP ISO. VALVE (FCV 63-73 OR 63-72) IS FULLY OPEN, AND SI M INFLOW VALVE 63-3 IS FULLY CLOSED OR BOTH SI M INFLOW VALVES 63-175 AND 63-4 ARE FULLY CLOSED.]
FIG. A1-1. Simplified schematic of charging system.
Incident Modeling
This incident has been modeled as a failure of both CCPs. The failure probabilities were calculated assuming that a degraded condition which would result in pump failure on demand would exist for one-half of a surveillance period (360 h) on the average. Since the second pump actually performed its function when demanded while in an incipient failure condition, its failure probability was examined both assuming that it would have failed on demand if required for a transient or LOCA and assuming that the incipient failure condition would not appreciably alter the failure probability derived in the PSA. These two cases provide an upper and lower bound treatment of the potential common mode failure indicated by the incident.
The failure of one or both CCPs potentially affects sequences in the following event trees: T1, T2, T3, Tsg, Tdc, ATWS, S1, S2 and S3. Both high pressure injection (D1, D2, D3, D4) and high pressure recirculation (H2) functions are potentially affected by the failure of CCPs. The potentially affected sequences have been identified in Figures A1-2 through A1-10. Because the CCPs were of limited importance in the original PSA, the dominant accident sequence results (cut sets) did not contain terms with basic events involving CCP failure to adequately cover the sequences with functions impacted by CCP failures. Therefore, the original system and function fault trees were reanalysed with high failure probabilities for the CCPs. A revised set of dominant accident sequences and associated cut sets was derived.
The failure of the CCPs was considered to be non-recoverable, and as such, no pump recovery analysis was required. Operator actions involving reactor depressurization and use of the SI system were already included in the model and also required no further analysis. It was recognised that sequences involving top event H were only possible if top event D was successful. In the original PSA, H was mainly composed of operator errors and common cause failures affecting the charging system and safety injection system in the initiation of the recirculation mode. CCP failure to start and failure to run were included in top event D. Since the CCP failure to run considerations were included in the injection phase (D), it is apparent that H sequences will not be noticeably impacted as currently modeled in the PSA. Therefore, H sequences were not reanalysed. Also, since the S and S sequences were functionally the same, these two LOCA initiators were combined.
[Event tree drawing (Figure A1-2) not reproduced in text. Top events, left to right: LOSP (T1), RPS (K), RVs CLOSE (Q1), AFW 2/4 SGs (L1), SEAL INJCT FLOW (D3), CCW THRML BARR (W), HPI (D1), PORVs OPEN (P1), LPI/R (H3), HPR (H2); sequences end in OK or CD, with transfers to S2 (seal vulnerability) and to ATWS.]
FIG. A1-2. Event tree for T1 — loss of offsite power.
[Event tree drawing (Figure A1-3) not reproduced in text. Top events, left to right: LOSS OF MFW (T2), RPS (K), RVs CLOSE (Q1), AFW 2/4 SGs (L1), SEAL INJCT FLOW (D3), CCW THRML BARR (W), HPI (D1), PORVs OPEN (P1), LPI/R (H3), HPR (H2); sequences end in OK or CD, with transfers to S2 (seal vulnerability) and to ATWS.]
FIG. A1-3. Event tree for T2 — loss of main feedwater.
[Event tree drawing (Figure A1-4) not reproduced in text. Top events, left to right: TRANSIENT W/MFW & PCS (T3), RPS (K), RVs CLOSE (Q1), AFW 2/4 SGs (L1), MFW (M), SEAL INJCT FLOW (D3), CCW THRML BARR (W), HPI (D1), PORVs OPEN (P1), LPI/R (H3), HPR (H2); sequences end in OK or CD, with transfers to S2 (seal vulnerability) and to ATWS.]
FIG. A1-4. Event tree for T3 — turbine trip with MFW initially available.
[Event tree drawing (Figure A1-5) not reproduced in text. Top events, left to right: LOSS OF DC BUS (TDC), RPS (K), RVs CLOSE (Q1), AFW 2/4 SGs (L1), SEAL INJCT FLOW (D3), CCW THRML BARR (W), HPI (D1), PORVs OPEN (P1), LPI/R (H3), HPR (H2); sequences end in OK or CD, with transfers to S2 (seal vulnerability) and to ATWS.]
FIG. A1-5. Event tree for TDCX — loss of DC bus.
[Event tree drawing (Figure A1-6) not reproduced in text. Top events, left to right: SGTR (TSG), RPS (K), HPI (D1), AFW 2/3 SGs (L), OPER DEPRZ RCS (OD), RVs CLOSE (Q1), STM GEN INTEG (QS), LPI/R (H3), HPR (H2); sequences end in OK or CD.]
FIG. A1-6. Event tree for steam generator tube rupture.
[Event tree drawing (Figure A1-7) not reproduced in text. Top events, left to right: MED LOCA (S1), HPI (D2), LPI/R (H4), HPR (H2); sequences end in OK or CD.]
FIG. A1-7. Event tree for S1 — medium LOCA.
[Event tree drawing (Figure A1-8) not reproduced in text. Top events, left to right: SMALL LOCA (S2), RPS (K), HPI (D1), AFW 2/4 SGs (L1), PORVs OPEN (P1), CONT SPRAY INJCT (F1), OPER DEPRS RCS (OD), LPI/R (H3), HPR (H2); sequences end in OK or CD, with a transfer to ATWS.]
FIG. A1-8. Event tree for S2 — small LOCA.
[Event tree drawing (Figure A1-9) not reproduced in text. Legible top events, left to right: SMALL LOCA (S3), RPS (K), HPI (D1), AFW (L1), PORVs OPEN (P1), CONT SPRAY INJCT (F1), OPER DEPRZ RCS (OD), RHR (U1), LPI/R (H3), HPR (H2); sequences end in OK or CD, with a transfer to ATWS.]
FIG. A1-9. Event tree for S3 — very small LOCA.
[Event tree drawing (Figure A1-10) not reproduced in text. Legible top events, left to right: ATWS (TK), R, PWR LEVEL (PL), Z, TBT (T), PPR (P2), AFW 3/4 SGs (L2), RVC (Q2), HP (D4); sequences (TKR..., TKRZ..., TKRPL...) end in OK or CD.]
FIG. A1-10. Event tree for TK — anticipated transient without scram.
No accident sequence initiators occurred during the interval in which the CCPs were potentially inoperable (i.e. incapable of performing their design basis function given the occurrence of an accident initiator). Therefore it was necessary to estimate the likelihood of an accident sequence initiator occurring during that interval. It was assumed that the CCPs were shown to be fully operational during the previous surveillance test about one month earlier. It was further assumed that the CCP degradation occurred as a constant failure rate process. Under these conditions the CCPs would be in a failed state for one-half the surveillance interval at one month, or 4.1 x 10^-2 years. The frequency of each accident sequence initiator (years^-1) was multiplied by the calculated exposure interval to derive an estimate of their probability of occurrence during the time the CCPs were assumed to be inoperable.
The basic event and initiating event probabilities used in the analysis are provided in Table A1-2.
TABLE A1-2. BASIC EVENT PROBABILITIES

Event                                        PSA                      Incident
CHP-MDP-FR-2AA (charging pump 2A-A           3 x 10^- (exponent lost) house event (1.0)
  fails to run)
CHP-MDP-FS-2BB (charging pump 2B-B           3 x 10^-3                house event (1.0)
  fails to start)                                                     4.1 x 10^-2 (sensitivity 1)
                                                                      3 x 10^-3 (sensitivity 2)
Initiating events                            IE                       IE x 4.1 x 10^-2
Analysis Results
The conditional probability associated with this incident is about 1 x 10^-5. The dominant sequences involve ATWS and small LOCAs including steam generator tube ruptures. A listing of the dominant sequences and associated probabilities is provided in Table A1-3. Supplemental sensitivity analyses were performed to investigate the sensitivity of the assumption that the 2B-B CCP would have failed if demanded during an accident. This pump actually did operate after pump 2A-A failed, but was not subjected to accident demands. In the first sensitivity case, the coincident failure of CCP 2B-B was assumed to be loosely coupled to that of CCP 2A-A with an independent probability of failure represented by the unavailability equal to one-half the surveillance interval. This value is 4.1 x 10^-2. When this value is used, the conditional core damage probability becomes 5.9 x 10^-7. For the second sensitivity case, the failure probability of pump CCP 2B-B was assumed to be essentially unaffected by the degraded condition that was found during subsequent inspection of the pump. The base PSA failure probability of 3 x 10^-3 was used. The resultant core damage probability is 2.4 x 10^-7.

TABLE A1-3. ACCIDENT SEQUENCE CONDITIONAL PROBABILITIES
[Table body not reproduced: the two-column listing of sequences (SGTR sequences of the form Tsg D1 ..., ATWS sequences of the form TKR ... D4, and S1 D2) against their conditional probabilities could not be recovered in alignment from the source. Summary lines: Total 9.6 x 10^-6; Sensitivity 1 5.9 x 10^-7; Sensitivity 2 2.4 x 10^-7.]
Note: S includes S initiator frequency
The importance of the CCP failure(s) associated with this event is approximately bounded by the common mode failure case of 10^-5 and the independent failure case of 2.4 x 10^-7. The available evidence implies that the common mode failure assumption most closely represents the risk implications of the incident as reported.
Since the charging pumps have a significant impact on emergency boration, it is not surprising that ATWS sequences become most important with the failure of both CCPs. This is followed by the much less significant small LOCA and steam generator tube rupture with safety injection system failure.
The reactor protection system, which was already of relatively high importance, rises even higher. This is also true for a number of potential common cause failure points in the safety injection system (i.e. MOV-63-22, CKV-6351, and both SI pumps).
It is interesting to note that the original PSA did not include a common cause failure of the charging pumps in the logic model. Only failure to run for the operating CCP and an independent failure to start, run or test and maintenance unavailability was included for the standby pump.
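As an added worked example (not code from the IAEA report or from the Sequoyah PSA), the following Python carries the case-study procedure through end to end: the exposure interval of half a surveillance period, the initiator probability obtained by multiplying each initiator frequency by that interval, and the common-mode, sensitivity 1 and sensitivity 2 treatments of the second pump. The initiator frequencies and core damage split fractions in the table are constructed for illustration; the plant's own values are not given on this page.

```python
"""Conditional core damage probability (CCDP) for a degraded-component incident.

Added worked example, not code from the IAEA report or the Sequoyah PSA. The degraded
state is assumed present for half a surveillance interval, each initiator frequency is
multiplied by that exposure time, and sequence contributions are summed for the three
treatments of the second pump. The initiator table is constructed for illustration.
"""
import math

HOURS_PER_YEAR = 8760.0
BASE_CCP_FAIL_TO_START = 3.0e-3  # base PSA value quoted in the case study (3 x 10^-3)

# Constructed initiator classes: (frequency per year,
#   P(core damage | initiator, charging function lost),
#   P(core damage | initiator, charging function available)).
INITIATORS = {
    "ATWS (emergency boration needs the CCPs)": (3.0e-4, 0.9, 0.02),
    "S2 small LOCA": (1.0e-3, 0.05, 1.0e-3),
    "SGTR": (1.0e-2, 0.01, 1.0e-4),
    "T1 loss of offsite power": (0.1, 1.0e-3, 1.0e-4),
}


def exposure_interval_years(surveillance_interval_hours):
    """Degradation as a constant-rate process found at the next test is, on average,
    present for half the surveillance interval (360 h of a 720 h interval)."""
    return 0.5 * surveillance_interval_hours / HOURS_PER_YEAR


def initiator_probability(frequency_per_year, exposure_years):
    """Probability that the initiator occurs at least once in the exposure window;
    1 - exp(-f t) equals f t to the precision that matters here."""
    return 1.0 - math.exp(-frequency_per_year * exposure_years)


def charging_function_failure(p_2aa, p_2bb):
    """Both trains must fail to lose the charging function. p_2aa is a house event (1.0)
    when that pump is known to have failed; p_2bb carries the treatment of the second pump."""
    return p_2aa * p_2bb


def conditional_cdp(exposure_years, p_charging_failed, initiators=INITIATORS):
    """Sum over initiators of P(IE in window) * P(CD | IE), where P(CD | IE) is split
    by whether the charging function is lost. Returns (total, per-initiator dict)."""
    contributions = {}
    for name, (freq, p_cd_lost, p_cd_ok) in initiators.items():
        p_ie = initiator_probability(freq, exposure_years)
        p_cd = p_charging_failed * p_cd_lost + (1.0 - p_charging_failed) * p_cd_ok
        contributions[name] = p_ie * p_cd
    return sum(contributions.values()), contributions


def incident_cases(surveillance_interval_hours=720.0):
    """The three treatments used in the case study plus the undisturbed baseline."""
    t = exposure_interval_years(surveillance_interval_hours)
    p_base = BASE_CCP_FAIL_TO_START
    cases = {
        "common mode (2B-B assumed failed)": charging_function_failure(1.0, 1.0),
        "sensitivity 1 (2B-B loosely coupled)": charging_function_failure(1.0, t),
        "sensitivity 2 (2B-B at base PSA value)": charging_function_failure(1.0, p_base),
        "baseline (no degradation)": charging_function_failure(p_base, p_base),
    }
    return {label: conditional_cdp(t, p)[0] for label, p in cases.items()}


if __name__ == "__main__":
    for label, value in incident_cases().items():
        print(f"{label:42s} {value:.2e}")
```

With the constructed table the ATWS class dominates the common-mode case, mirroring the ordering the case study reports, and the three treatments bracket the importance of the second pump's failure in the same way.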
LICENSEE EVENT REPORT (LER)
[Form header fields not reproduced in text. Recoverable entries: Facility name: Sequoyah, Unit 2; Docket number: 05000328; LER number: 88-005, revision 01; page 1 of 8; other facility involved: Sequoyah, Unit 1 (Docket 05000327); Title (beginning not recovered): "... Of Gland Seal Bolts On Speed Increaser Lube Oil Pumps Causes A Potential Inoperability Of Both Unit 2 Centrifugal Charging Pumps"; Licensee contact: Plant Operations Review Staff.]
ABSTRACT
On February 12, 1988, at approximately 1133 EST, smoke was discovered coming from the speed increaser unit for the 2A-A centrifugal charging pump (CCP).
Immediately, the 2B-B CCP was started, and the 2A-A CCP was stopped. Upon disassembly of the 2A-A CCP speed increaser, much of the internals were found damaged. Further investigation found the two gland seal (GS) retaining bolts inside the speed increaser lube oil pump (SILOP) backed out allowing the GS to loosen. The GS being loosened caused reduced oil flow to the speed increaser internals and ultimate damage. The 2B-B and 1B-B SILOPs were inspected, and the same GS bolts as on the 2A-A pump were found loosened. The cause of the bolts backing out was determined to be lack of a periodic adjustment of the GS bolts. It was discovered during investigation that the original SILOPs for 2A-A, 2B-B, and 1B-B CCPs had been replaced with incorrect SILOPs. The original 1A-A SILOP was not replaced with an incorrect SILOP. The replacement SILOPs had been ordered using an incorrect part number in April 1985. The replacement SILOPs for 1B-B, 2A-A, and 2B-B were rated for 900 rpm and incorporated a compression packing seal which requires periodic adjustment as the packing wears. The original SILOPs were rated for 1,800 rpm and incorporated a mechanical seal which does not require adjustment. The major cause of this event was that the replacement SILOPs for 1B-B, 2A-A, and 2B-B were the wrong SILOPs that incorporated the packing seal, and no program was in place to periodically tighten the gland bolts. The 2A-A SILOP was replaced with an 1,800 rpm pump on February 15, 1988, and two new pumps (1,800 rpm) were procured for 1B-B and 2B-B and installation was completed on March 7, 1988. The 1A-A SILOP mechanical GS bolts were inspected on April 7, 1988, and found to be satisfactory. To prevent recurrence, TVA has a new procurement program in place which provides additional independent review/verification of all plant initiated procurement documents.
LICENSEE EVENT REPORT (LER) TEXT CONTINUATION
This revision is being submitted to provide an update of completed corrective actions and a restatement of the event analysis.
DESCRIPTION OF EVENT
On February 12, 1988, at approximately 1133 EST with unit 2 in mode 4 (0 percent power, 350 psig, 247 degrees F) and unit 1 in mode 5 (0 percent power, 4 psig, 123 degrees F), smoke was discovered coming from the speed increaser unit on the 2A-A (unit 2, train "A") CCP (EIIS Code BQ). Immediately, the 2B-B (unit 2, train "B") CCP was started, and the 2A-A CCP was shut down.
The CCPs are utilized in the boron injection system for reactivity control and in the emergency core cooling system (ECCS) (EIIS Code BQ). Both pumps are required to be operable in modes 1 through 4 by the plant technical specifications (TSs). Since unit 2 was in mode 4 at the time, the action statements for TSs 3.1.2.2 and 3.1.2.4 were complied with immediately. This involved restoring both charging pumps to operable status within seven days or bringing the unit to cold shutdown within the next 30 hours.
Disassembly of the 2A-A CCP speed increaser box was started later the same night, and upon disassembly, much of the internals were found damaged. Upon further investigation of the cause, it was discovered that the two gland seal retaining bolts inside the speed increaser lube oil pump had backed out with one bolt completely disengaged from the bolt hole and lying in the bottom of the pump casing. The lube oil pump is mounted on the side of the speed increaser and is driven by the speed increaser low speed shaft. The pump recirculates oil in the speed increaser to lubricate the internal moving parts and to serve as a cooling medium in removing heat. The lube oil pump is a rotary gear type and incorporates a gland seal to seal around the shaft. The seal is provided to isolate the pump internal pressure from the external atmosphere.
The bolts being backed out allowed the gland seal to loosen and not provide the seal in which it was designed to perform. After evaluation of the pump design and discussions with the supplier (Westinghouse), it is theorized that the loosening of the gland seal allowed air to be drawn in, via the speed increaser housing, mixing with the oil and/or allowed oil from the pump to be forced through the loosened gland seal bypassing the normal flow path to the speed increaser internals. These conditions caused reduced oil flow to the speed increaser internals and ultimate damage to the internals. The speed increaser internals were replaced as necessary, and the lube oil pump was replaced with one from a spare speed increaser unit. After reassembly, postmaintenance tests were performed on the 2A-A CCP and speed increaser unit, and the pump was returned to operable status at 1857 EST on February 15, 1988.
As additional preventive actions, the 2B-B (unit 2, train B) CCP was tagged out of service on February 17, 1988, to inspect the lube oil pump gland seal for a similar condition. Upon disassembly, the gland seal bolts were also found backed out similarly to the train A pump. The bolts were retightened and a locktite sealant installed to prevent the bolts from loosening again during operation. Concurrence was obtained from Westinghouse that this would be an acceptable method for securing the bolts.
The 2B-B CCP was declared operable at 0800 EST on February 18, 1988. After evaluation of the similar condition on both unit 2 CCPs, it was determined that this condition alone could have prevented the fulfillment of this system's safety function. At 1218 EST on February 19, 1988, NRC was notified by phone of this condition in accordance with 10 CFR 50.72, paragraph b.2.iii. As further preventive measures, work requests (WRs) were prepared to inspect the speed increasers lube oil pumps on both unit 1 CCPs (WR B257714 for 1A-A and WR B257712 for 1B-B). On February 2«, 1988, the oil pump for 1B-B was removed, and the gland seal bolts were found only fingertight. The bolts were retightened and locktite sealer applied. The 1B-B speed increaser was also disassembled, and no damage was noted.
CAUSE OF EVENT
The cause of the 2A-A CCP speed increaser internals damage is attributed to the lube oil pump gland seal bolts backing out and subsequent loosening of the gland seal. This condition ultimately caused reduced oil flow to the speed increaser internals.
An immediate investigation was also initiated to determine the cause of the gland seal bolts backing out. Westinghouse was consulted about this event, and no other conditions of this nature had been reported by other customers.
Past vibration level charts on the speed increaser unit were reviewed, and no abnormal vibration levels were noted that should have caused the bolts to loosen. A 35 mil axial vibration was noted on the 2B-B speed changer in mid January 1988, but this condition was not considered to be the root cause of the bolts backing out since this vibration was only found on one pump/speed changer unit. The main cause of this vibration was found to be a misalignment of the electric motor to speed increaser low speed shaft coupling and was corrected on January 1*, 1988.